Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
History
No history.
MITRE
Status: PUBLISHED
Assigner: rapid7
Published: 2019-11-06T18:30:42.787547Z
Updated: 2024-09-17T04:24:03.024Z
Reserved: 2019-01-07T00:00:00
Link: CVE-2019-5642
Vulnrichment
No data.
NVD
Status: Analyzed
Published: 2019-11-06T19:15:12.360
Modified: 2019-11-13T14:28:18.777
Link: CVE-2019-5642
Redhat
No data.